Multisite AD Design


mk

My company has 2 sites (about 40 users each). Each site
has a T1 connection to the internet. There is no WAN
connection (ie: Frame Relay) connecting the sites.

We want to deploy Windows 2003 Server & Exchange 2003
Server. Each site will have its own administrator.
Originally, I thought that a single forest with a single
domain and 2 OU's would be a good idea, however, without a
WAN link, how can we replicate AD & Exchange between the sites?

I've seen MS refer to two options:
- use firewall port mapping for all relevant ports
- use IPSec (more secure but harder to configure).
We are using ISA server, however I've read that IPSec won't
work with NAT (can we 'Publish' to get around that)?

Anyone have any experience here? Basically, we want to
connect two sites, each of which has a T1 connection to the
internet but no direct connection to each other.

tnx,
Michael
 
If you ask me, I would connect those sites together using a VPN solution (VPN
router, ...) and then set up sites and replication as if this were a
normal network.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
http://ladava.com
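An added worked example (not from the thread or from any of the posters) of what "set up sites and replication as on a normal network" looks like once a site-to-site VPN routes the two LANs to each other. It assumes two DCs, DC1.corp.example in 10.1.0.0/24 and DC2.corp.example in 10.2.0.0/24, site names Site-A and Site-B, and a management host with the RSAT ActiveDirectory module; all of these names and addresses are made up for the example. The cmdlets used require Windows 8 / Server 2012 or later, so on a Windows 2003 forest the equivalent steps are Active Directory Sites and Services plus portqry and repadmin.

```powershell
#Requires -Modules ActiveDirectory
# Example code, not from the original thread. Hostnames, subnets and site names below
# are assumptions; replace them with your own.

$RemoteDC = 'DC2.corp.example'

# TCP ports a DC must reach on its replication partner. Port 135 (RPC endpoint mapper)
# only hands out a dynamic high port for the actual DRS replication call, which is why
# static port mapping through a firewall is awkward and a routed VPN is simpler.
$ReplicationPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (DRS replication is negotiated from here)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

function Test-ReplicationPorts {
    param([string]$ComputerName, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $Ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# 1. Prove the VPN actually carries the replication traffic before touching AD topology.
Test-ReplicationPorts -ComputerName $RemoteDC -Ports $ReplicationPorts | Format-Table -AutoSize

# 2. Define the two sites, bind each LAN subnet to its site, and create a site link so
#    the KCC builds an inter-site connection that replicates on a schedule instead of
#    treating both offices as one LAN (the default single site).
New-ADReplicationSite -Name 'Site-A'
New-ADReplicationSite -Name 'Site-B'
New-ADReplicationSubnet -Name '10.1.0.0/24' -Site 'Site-A'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Site-B'
New-ADReplicationSiteLink -Name 'SiteA-SiteB-VPN' -SitesIncluded 'Site-A', 'Site-B' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 3. Move the remote DC into its site (new DCs land in Default-First-Site-Name) and
#    ask the KCC to recompute the topology now rather than waiting for its next pass.
Move-ADDirectoryServer -Identity 'DC2' -Site 'Site-B'
repadmin /kcc

# 4. Verify: no failures, and LastReplicationSuccess should match LastReplicationAttempt
#    for every partner. Any non-zero LastReplicationResult is an error code to chase.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $RemoteDC |
    Select-Object Server, Partner, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
```

The port test only covers the fixed ports; the DRS replication call itself lands on a dynamic RPC port (1025-5000 on Windows Server 2003, 49152-65535 on 2008 and later), so the firewall-to-firewall tunnel should route the whole remote subnet rather than an enumerated port list. If a partner shows a failure after the topology change, `repadmin /showrepl <DC> /errorsonly` narrows it to the naming context and error involved.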
 
How would you set up the VPN? We have ISA server in both
locations, but supposedly AD Replication using IPsec over
ISA won't work due to NAT. Is there a workaround?

mk
 
Michael,

I agree with Matjaz! I would simply set up a Site-to-Site
VPN and be done with it. A "Site-to-Site" VPN is
typically a Firewall-to-Firewall VPN.

As an example, we have a client who has four offices:
Roanoke ( VA ), Blacksburg ( VA ) , Richmond ( VA ) and
Raleigh ( NC ). This particular setup is a bit different
from yours in that Roanoke is the "HQ" and the other
three office users connect to the Terminal Server in
Roanoke. However, we have a Firewall-to-Firewall VPN set
up between Roanoke and Blacksburg, a Firewall-to-Firewall
VPN set up between Roanoke and Richmond, and we will soon
be setting up a Firewall-to-Firewall VPN between Roanoke
and Raleigh. It works really well!

HTH,

Cary
 
Do the remote sites have AD servers that replicate with HQ?
Getting Terminal Services to run is no big deal.
Getting AD to replicate across the VPN is more difficult.

What firewall are you using?

Are you using IPSec?

thanks,
Michael
 